Today is a good time to think about improving HIPAA compliance in 2022. The cybersecurity landscape is shifting, and healthcare is still a key target of unscrupulous threat actors. There also will likely be changes in HIPAA law requiring modifications to policies and procedures, and additional training will be needed to help staff understand how to comply. The good news is you can tackle these challenges now with simple steps.
Cybersecurity Landscape Ahead
A recent article in HealthITSecurity lays out cybersecurity experts' predictions about what to expect in healthcare. Three predictions stand out:
- ransomware attacks will escalate
- the cybersecurity workforce shortage will persist
- healthcare will struggle to implement stronger cybersecurity protections
Experts point out that ransomware became harsher in 2021. They point to the rise in double extortion ransomware and the increasing number of attacks on supply chain vendors, such as the SolarWinds compromise (and the Sunburst backdoor delivered through it) and the Kaseya attack. Compromising the supply chain gives threat actors access to much larger pools of data: the vendor is essentially an entrance ramp to multiple healthcare entities at once. Double extortion occurs when the attacker exfiltrates data first, then encrypts it, and then demands a ransom both to restore the data and to withhold the stolen copy from publication. This is more ruthless than encryption-only ransomware, because even an organization with good backups can still be pressured by the threat of a data leak, which, for PHI, is also a reportable breach.
The key takeaway for covered entities and business associates is that these risks can be managed with strong HIPAA compliance. HIPAA Risk Analysis and Risk Management are still the gold standard for keeping risks at a manageable level. Far too many ransomware attacks succeed because organizations have not kept up with the basics of prevention, including offsite (and offline) data backups that are tested for restoration, access management, business associate due diligence and workforce training.
Possible Changes in HIPAA Law
In early 2021, the U.S. Department of Health and Human Services (HHS) published proposed changes to the HIPAA Privacy Rule. (We last covered these proposed changes in June 2021, and that summary still applies.)
The proposed modifications are intended to improve the coordination of care, expand the patient's right of access to their medical records and reduce the regulatory burden on the healthcare industry. The changes are focused on putting patients first by reducing unnecessary administrative burdens. They also advance the goal of interoperability, building on HITECH and the 21st Century Cures Act.
A full review of all the proposed changes is beyond the scope of today’s blog, but the key elements are:
- Strengthens the patient right to access their medical records
- Makes it easier for providers to disclose protected health information (PHI) for care coordination and social services
- Removes requirement of patient acknowledgment of receipt of Notice of Privacy Practices (NPP)
- Revises NPP content requirements to clarify how patients may exercise their individual rights
- Potential changes to the National Institute of Standards and Technology (NIST) guidelines
The final rule date is currently unknown. Note that the compliance date is not until 240 days after the rule is made final; depending on how quickly HHS moves on completing the rule, the actual compliance date may not be until next year. Separately, a new director for the HHS Office for Civil Rights (OCR), Lisa J. Pino, was announced on September 27, 2021.
Prepare for Tomorrow Today
Preparing for possible changes in the law overlaps with preparing for increased cybersecurity threats.
- Review and revise your HIPAA Risk Analysis
- Review policies and procedures to make sure they are up to date today, so that future changes are less burdensome
- Emphasize to staff the importance of providing patients with access to their medical records; this has long been an OCR enforcement priority
- Refresh workforce training, in basic HIPAA compliance and cybersecurity awareness
If you need help with strengthening compliance and preparing for tomorrow today, let The HIPAA E-Tool® be your guide.